Senior Systems Engineer

Description

Summary: This Systems Engineer role involves owning network-facing infrastructure, integrating with ISPs, and ensuring robust internet access through RADIUS proxy architecture and provisioning pipelines. Highlights: 1. Own critical network-facing infrastructure for ISP internet access. 2. Work at the intersection of network and systems engineering. 3. Leverage AI tools in core engineering workflows. **About Share** =============== Share is a venture\-backed internet infrastructure network building Africa’s backbone. The company aggregates underutilized telecom infrastructure, fiber, subsea cables, and data centers, and provides ISPs with scalable access to bandwidth without traditional upfront costs. Share’s network spans thousands of kilometers of fiber, 12 infrastructure providers, and 10 data centers, reaching over 8 million people across East Africa. At the network level, Share operates a RADIUS proxy architecture that authenticates ISP subscribers, provisions their internet access, and coordinates with partner BNG (Broadband Network Gateway) equipment. The platform must coexist with existing ISP infrastructure, not replace it. This means every deployment involves real BNG configuration, real RADIUS authentication, and real subscriber traffic. This role sits at the intersection of network engineering and systems engineering. You will own the infrastructure that makes internet access work for Share’s partner ISPs. **The role** ============ We are hiring a Systems Engineer to own Share’s network\-facing infrastructure: the FreeRADIUS proxy servers that authenticate ISP subscribers, the provisioning pipeline that pushes credentials and plan attributes to per\-partner RADIUS servers, the BNG integration layer, and the deployment and monitoring of all systems infrastructure. You will work directly with the network team (who handle ISP\-side BNG configuration) and the software team (who build the APIs that drive provisioning). This is a hands\-on role. You will configure FreeRADIUS servers, write deployment scripts, troubleshoot authentication failures on production networks, and design the infrastructure that scales from 5 ISP partners to 50\. You will be the person the team calls when a subscriber can’t authenticate or when a new ISP’s BNG doesn’t behave as expected. **What you will own** ===================== * **FreeRADIUS proxy architecture:** Share operates a central RADIUS proxy that routes authentication requests to per\-partner FreeRADIUS servers. The proxy uses a failover mechanism (soft reject attribute clearing failover to partner pool) to determine whether a subscriber is Share\-managed or partner\-managed. You will own the configuration, deployment, monitoring, and scaling of this architecture. * **Per\-partner FreeRADIUS servers:** Each ISP partner gets a dedicated FreeRADIUS instance with a Hono API overlay for programmatic CRUD of subscriber credentials and plan attributes. You will manage these instances, their database backends, and their API endpoints. * **BNG integration support:** Work with the network team to define and validate the BNG\-side configuration changes required for each ISP partner (RADIUS pointer, Share\-specific subnet, source\-based routing, pool configuration). You are the bridge between the software platform and the ISP’s physical infrastructure. * **Provisioning pipeline:** The software platform’s Provisioning service pushes subscriber credentials and plan attributes to FreeRADIUS. You own the receiving end — ensuring the FreeRADIUS API, database, and RADIUS configuration are correct and performant. * **Infrastructure and deployment:** Server provisioning, deployment automation, monitoring, logging, and security for all systems infrastructure. GitHub Actions pipelines, SSH\-based deployments, VM management. * **CoA (Change of Authorization):** Design and implement the CoA endpoint on per\-partner FreeRADIUS servers for real\-time plan changes and session disconnects without re\-authentication. **Technical environment** ========================= **RADIUS and network authentication** * FreeRADIUS (v3 in production, v4 evaluation in progress) — proxy configuration, virtual servers, module configuration (sql, rest, files) * RADIUS protocols: Access\-Request/Accept/Reject, Accounting (Start/Interim/Stop), CoA (Disconnect\-Request, CoA\-Request) * PPPoE authentication flow: subscriber CPE BNG RADIUS proxy per\-partner RADIUS response with speed/pool/timeout attributes * MikroTik RouterOS BNG configuration (the network team handles this, but you need to understand the RADIUS\-facing side) * Per\-user flat attributes (speed, IP pool, session timeout) pushed via Hono API to FreeRADIUS SQL backend **Systems and infrastructure** * Linux server administration (Ubuntu) * Docker containerization for FreeRADIUS instances and supporting services * Hono (lightweight Node.js framework) for the FreeRADIUS API overlay * PostgreSQL for RADIUS user databases (radcheck, radreply, radacct tables) * GitHub Actions for CI/CD, SSH\-based deployment to VMs * Monitoring: Loki \+ Pino for structured logging, Sentry for error tracking **Integration points with the software platform** * NestJS Provisioning microservice calls your FreeRADIUS API to push/update/delete subscriber credentials * Kafka events trigger provisioning actions (PROVISION\_SUBSCRIBER, UPDATE\_PLAN\_ATTRIBUTES, DELETE\_RADIUS\_CREDENTIALS) * The proxy’s routing decision (Share vs partner) determines the subscriber’s billing path **Requirements** ================ **Non\-negotiable** * 5\+ years of professional systems engineering or network engineering experience, with at least 2 years working directly with RADIUS (FreeRADIUS, Radiator, or NPS) in a production ISP or telecommunications environment * Deep FreeRADIUS expertise. You can configure virtual servers, write unlang policies, set up proxy realms, configure SQL modules, and debug authentication failures from packet captures. * Strong Linux systems administration. You manage production servers, write deployment scripts, configure firewalls, and troubleshoot networking issues at the OS level. * Understanding of PPPoE authentication, DHCP, IP pool management, and how BNGs interact with RADIUS servers. You don’t need to be a MikroTik expert, but you need to understand what the BNG expects from RADIUS. * Experience deploying and managing infrastructure in production — not just dev environments. You understand uptime requirements, failover, and what happens when a RADIUS server goes down (subscribers can’t authenticate). * Comfortable with scripting and light application development. You don’t need to be a full\-stack developer, but you should be able to write and maintain a Hono/Express API, work with SQL databases, and automate deployments. **Strong preference** * Experience in East African ISP or telecommunications infrastructure. Understanding of the operational realities: MikroTik\-dominant networks, mixed vendor environments, bandwidth constraints, and the practical challenges of managing subscriber authentication at scale in this market. * Experience with FreeRADIUS proxy configurations (proxying between multiple RADIUS servers with failover logic). * Experience with CoA (Change of Authorization) and Disconnect\-Message implementation. * Docker and container orchestration for networking services. * Experience working alongside software engineering teams — you can read a NestJS service, understand an event\-driven architecture diagram, and communicate technical constraints clearly to developers. **AI\-augmented engineering (required mindset)** Share operates with AI tools as a core part of engineering workflows. This applies to systems engineering as much as software development. Our infrastructure documentation, configuration templates, troubleshooting runbooks, and deployment scripts are all developed with AI assistance. What this means for you: * You use AI tools (Claude, ChatGPT, Copilot, or similar) for configuration generation, troubleshooting, documentation, and scripting. You don’t memorize FreeRADIUS syntax — you know what you need and use AI to get there faster. * You are comfortable with AI\-generated specifications and can validate them against real\-world behavior. When a spec says “configure source\-based routing on the BNG,” you know whether that’s correct for MikroTik and can flag when it’s not. * You see AI as a way to handle the breadth of systems knowledge required for this role (RADIUS, Linux, networking, databases, deployment, monitoring) without needing to hold it all in your head. * You contribute to the team’s AI workflows by writing clear, structured documentation that both humans and AI can work with. **What we offer** ================= * A seat at the table while we build the technical backbone of Africa’s next\-generation internet — the decisions you make here will be visible in how entire ISP partners run their networks. * Competitive salary and meaningful equity in a mission\-driven, investor\-backed company (US\-incorporated; Kenya operating entity). * Private health and wellness benefits — we’ll walk through these during the process. * A high\-ownership environment with a steep but well\-supported learning curve, and a team that writes things down.